// newControllerUserFromGroup returns a permission.UserAccess that serves
// as a stand-in for a user that has group access but no explicit user
// access.
func newControllerUserFromGroup(everyoneAccess permission.UserAccess,
userTag names.UserTag) permission.UserAccess {
everyoneAccess.UserTag = userTag
everyoneAccess.UserID = strings.ToLower(userTag.Canonical())
everyoneAccess.UserName = userTag.Canonical()
return everyoneAccess
}
// maybeUseGroupPermission returns a permission.UserAccess updated
// with the group permissions that apply to it if higher than
// current.
// If the passed UserAccess is empty (controller user lacks permissions)
// but the group is not, a stand-in will be created to hold the group
// permissions.
func maybeUseGroupPermission(
userGetter userAccessFunc,
externalUser permission.UserAccess,
controllerTag names.ControllerTag,
userTag names.UserTag,
) (permission.UserAccess, error) {
everyoneTag := names.NewUserTag(EveryoneTagName)
everyone, err := userGetter(everyoneTag, controllerTag)
if errors.IsNotFound(err) {
return externalUser, nil
}
if err != nil {
return permission.UserAccess{}, errors.Trace(err)
}
if permission.IsEmptyUserAccess(externalUser) &&
!permission.IsEmptyUserAccess(everyone) {
externalUser = newControllerUserFromGroup(everyone, userTag)
}
if everyone.Access.EqualOrGreaterControllerAccessThan(externalUser.Access) {
externalUser.Access = everyone.Access
}
return externalUser, nil
}